Authorizing network access for IoT devices. Mohit Sethi, Tuomas Aura. PowerPoint PPT presentation.



  1. Authorizing network access for IoT devices Mohit Sethi Tuomas Aura

  2. Outline
  • Authorizing local network and Internet access for IoT devices
  • Cloud-managed network-access authorization
  • Bootstrapping security between device and cloud
  • EAP-NOOB

  3. Authorizing network access for IoT devices
  • New off-the-shelf devices need Internet access
    • for vendor and third-party services in the cloud
    • for software updates

  4. Authorizing network access for IoT devices
  Two problems:
  • Discovery and configuration: which network?
    • For example, the device needs to find the right SSID and cloud server
  • Security bootstrapping: identifiers and credentials?
    • For connecting to the network
    • For connecting to the cloud

  5. Authorizing network access for IoT devices
  Challenges:
  • Limited user interface
  • Scalability
  • At home, small office, enterprise or industrial environment
    • Clueless users vs. professional admins and support
    • On the other hand, the same devices are used everywhere
  • Wi-Fi (WPA-Personal and WPA-Enterprise), Zigbee, BTLE

  6. Authorizing network access for IoT devices
  Current solutions for network access authorization:
  • Manual configuration and key distribution
  • Pairing with a smartphone over Bluetooth
  • Wi-Fi (Un)Protected Setup (WPS)
  • Managed solutions
    • RADIUS / Diameter / 802.1X
    • Vendor and enterprise certificates

  7. Cloud-managed network access authorization
  • Delegating network access authorization and isolation decisions to a remote cloud-based service
    • Device vendors or third parties
  [Figure: IoT device; AP acting as RADIUS client; IoT device vendor's AAA server acting as RADIUS server; AP and vendor server connected over RADIUS]

  8. Cloud-managed solutions
  Some open questions:
  • RADIUS implementations are quite limited
  • Can't expect users to understand and configure RADIUS
  • Limiting the power of delegates in my LAN?
  • Interoperation of multiple delegates in my LAN?
  • Isolating devices within my LAN
  • Monitoring the behavior of my devices
  • Multi-homed, mobile and multi-owner devices

  9. EAP-NOOB
  draft-aura-eap-noob, https://github.com/tuomaura/eap-noob
  Tuomas Aura, Mohit Sethi

  10. EAP-NOOB
  • Nimble out-of-band authentication for EAP
  What is special?
  • No pre-existing credentials or association needed
  • User-assisted OOB authentication associates the peer device with the authentication server
  What is it good for?
  • Secure bootstrapping of cloud-connected smart appliances
  • Newly unboxed devices have no credentials or owner

  11. EAP-NOOB user experience example
  [Figure: screenshots of the user experience; labels: aalto.fi (three screens), AAA/cloud account login]

  12. EAP-NOOB
  • Device registration to the cloud and user account + network access authorized, in one step
  • Single user-assisted out-of-band message between peer device and AAA server
  How is this possible?

  13. Scenario: cloud-connected IoT appliance
  [Figure: IoT appliances, wireless AP, local AAA, remote AAA (in cloud); labels: Scan, Trust]

  14. Scenario: cloud-connected IoT appliance
  [Figure: same scenario with the protocol paths: EAP in-band from the appliance through the wireless AP and local AAA; RADIUS routing on the realm @eap-noob.net from the local AAA to the remote AAA in the cloud; OOB web page with output / API / input; user-assisted OOB channel between the appliance and the web page; labels: Scan, Trust]
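The "RADIUS routing @eap-noob.net" in the figure is ordinary realm-based proxying: the local AAA server recognizes the realm in the EAP identity and forwards the whole EAP conversation to the remote server, exactly as eduroam does. As an added illustration, not from the slides or the EAP-NOOB project, this is what that looks like in FreeRADIUS 3 proxy.conf syntax. The host name, certificate paths and pool/server names are placeholders.

```conf
# proxy.conf (FreeRADIUS 3 syntax): hand EAP for realm eap-noob.net to the
# cloud AAA server.  Host name, file names and server names are placeholders.
home_server eapnoob_cloud {
        type = auth
        ipaddr = aaa.example.net        # placeholder: the vendor/cloud AAA host
        # Weak across the public Internet: plain RADIUS/UDP hides only
        # User-Password; EAP-Message and every other attribute travel in the
        # clear and the server is authenticated by a static secret alone.
        #proto = udp
        #port = 1812
        #secret = some-long-random-string
        # Preferred: RadSec (RADIUS over TLS, RFC 6614) with mutual certificate
        # authentication; RFC 6614 fixes the shared secret to "radsec".
        proto = tcp
        port = 2083
        secret = radsec
        tls {
                private_key_file = ${certdir}/local-aaa.key
                certificate_file = ${certdir}/local-aaa.pem
                ca_file = ${cadir}/cloud-aaa-ca.pem
        }
        status_check = status-server
}

home_server_pool eapnoob_pool {
        type = fail-over
        home_server = eapnoob_cloud
}

# An EAP identity of the form anything@eap-noob.net selects this realm.
# nostrip keeps the realm in User-Name so the remote server sees the full NAI.
realm eap-noob.net {
        auth_pool = eapnoob_pool
        nostrip
}
```

Two practical points follow from this fragment. First, the access network trusts the remote server only for the authentication decision; whatever else it returns (for example a VLAN assignment in the Access-Accept) should be filtered by the local server before it reaches the AP, which in FreeRADIUS means an attribute filter such as `attr_filter.post-proxy` in the site's post-proxy section. Second, the RadSec certificate material is exactly the kind of configuration the deck says a home user cannot be expected to do, which is why the slides treat the local AAA as something an ISP or vendor would provision.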

  15. EAP-NOOB
  • Device registration to the cloud and user account + network access authorized, in one step
  • Single user-assisted out-of-band message between peer device and AAA server
  How is this possible?
  • In-band communication through the EAP tunnel before network access is authorized
  • The user has an account on the cloud-based AAA server and has secure access to it, e.g. over HTTPS
  • The access network trusts the AAA server

  16. EAP-NOOB in the background
  1. EAP-NOOB initial exchange: ECDH in-band
  2. OOB message: secret + hash, delivered by the user after AAA/cloud account login (aalto.fi in the example)
  3. EAP-NOOB completion: authentication and key confirmation in-band

  17. EAP-NOOB security
  • ECDH key exchange in-band + authentication out-of-band
  • OOB message in only one direction: peer to server or server to peer
  • OOB channels must protect confidentiality or integrity (either suffices; both are not needed)
  • Additionally, the user checks that registration was successful or, if it was not, resets the peer device
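To make the three steps of slides 15 to 17 concrete, here is an added, self-contained model of the exchange written for this page; it is not the EAP-NOOB project's code and does not follow the RFC 9140 wire format. The in-band key exchange is unauthenticated classic DH over a demo modulus (assumed to be the RFC 2409 group 2 prime; a real implementation uses ECDH), the OOB message carries the server-assigned PeerId, a fresh secret nonce Noob and a hash Hoob over the in-band exchange, and completion exchanges MACs under keys derived from both the DH secret and Noob. The `bootstrap(mitm=True)` run shows why the hash is there: an attacker who substitutes DH keys in both directions on the in-band channel produces a Hoob mismatch at the server, and the association is refused before any key confirmation.

```python
"""Toy model of the EAP-NOOB flow on slides 15-17: unauthenticated DH in-band, one
user-assisted OOB message (secret nonce + hash), then in-band key confirmation."""
import hashlib
import hmac
import secrets

# Demo DH group (assumption): intended to be the 1024-bit MODP group 2 of RFC 2409.
# Real deployments use ECDH (e.g. X25519); the protocol logic is the same.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G, NOOB_LEN, HOOB_LEN = 2, 16, 16

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def i2b(n):
    return n.to_bytes(128, "big")

def hoob(direction, peer_id, pk_peer, pk_server, noob):
    """Hash of the in-band exchange as the OOB sender saw it, bound to Noob."""
    h = hashlib.sha256()
    for part in (direction, peer_id.encode(), i2b(pk_peer), i2b(pk_server), noob):
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()[:HOOB_LEN]

def derive_keys(shared, noob):
    """Kms, Kmp (key-confirmation MAC keys) and MSK from the DH secret and Noob."""
    prk = hmac.new(noob, shared, hashlib.sha256).digest()
    return tuple(hmac.new(prk, l, hashlib.sha256).digest() for l in (b"Kms", b"Kmp", b"MSK"))

def mac(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Peer:
    """Unboxed device: no credentials, just a display for the OOB message."""
    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.peer_id = self.server_pub = self.noob = self.msk = None

    def initial_exchange(self, peer_id, server_pub):     # step 1, in-band over EAP
        self.peer_id, self.server_pub = peer_id, server_pub

    def oob_message(self):                               # step 2, e.g. a dynamic QR code
        self.noob = secrets.token_bytes(NOOB_LEN)
        return self.peer_id, self.noob, hoob(b"p2s", self.peer_id, self.pub, self.server_pub, self.noob)

    def complete(self, macs):                            # step 3, in-band key confirmation
        kms, kmp, self.msk = derive_keys(i2b(pow(self.server_pub, self.priv, P)), self.noob)
        transcript = (i2b(self.pub), i2b(self.server_pub), self.noob)
        if not hmac.compare_digest(macs, mac(kms, *transcript)):
            return None                                  # server failed key confirmation
        return mac(kmp, *transcript)

class Server:
    """Cloud AAA server; the user has an account on it and reaches it over HTTPS."""
    def __init__(self):
        self.priv, self.pub = dh_keypair()
        self.peers = {}                                  # PeerId -> association state

    def initial_exchange(self, peer_pub):                # step 1: assign PeerId, swap DH keys
        peer_id = secrets.token_hex(8)
        self.peers[peer_id] = {"peer_pub": peer_pub}
        return peer_id, self.pub

    def receive_oob(self, peer_id, noob, h):             # step 2: user pastes OOB message
        st = self.peers.get(peer_id)
        if st is None or "noob" in st:
            return False                                 # unknown PeerId or already done
        if not hmac.compare_digest(hoob(b"p2s", peer_id, st["peer_pub"], self.pub, noob), h):
            return False                                 # in-band exchange was tampered with
        st["noob"] = noob
        return True

    def completion_request(self, peer_id):
        st = self.peers[peer_id]
        kms, st["kmp"], st["msk"] = derive_keys(i2b(pow(st["peer_pub"], self.priv, P)), st["noob"])
        st["transcript"] = (i2b(st["peer_pub"]), i2b(self.pub), st["noob"])
        return mac(kms, *st["transcript"])

    def completion_response(self, peer_id, macp):
        st = self.peers[peer_id]
        if macp is None or not hmac.compare_digest(macp, mac(st["kmp"], *st["transcript"])):
            return None                                  # peer failed key confirmation
        return st["msk"]

def bootstrap(mitm=False):
    """Run the flow; mitm=True lets an in-band attacker swap in its own DH key both ways."""
    peer, server = Peer(), Server()
    _, att_pub = dh_keypair()
    peer_id, spub = server.initial_exchange(att_pub if mitm else peer.pub)
    peer.initial_exchange(peer_id, att_pub if mitm else spub)
    pid, noob, h = peer.oob_message()                    # user carries this out of band
    if not server.receive_oob(pid, noob, h):
        return {"oob_accepted": False, "msk_match": False}
    macp = peer.complete(server.completion_request(peer_id))
    msk = server.completion_response(peer_id, macp)
    return {"oob_accepted": True, "msk_match": msk is not None and msk == peer.msk}
```

The model deliberately keeps the OOB message going in one direction only (peer to server here, matching the QR-code-on-the-appliance scenario) and binds Hoob to the direction, the PeerId and both public keys, so the server can only accept an OOB message that was generated by a device that saw the same in-band exchange. Because Noob is folded into the key derivation, an attacker who watched the unauthenticated DH in-band but never saw the OOB message cannot produce a valid completion MAC either, which is the "confidentiality or integrity" property of slide 17.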

  18. EAP-NOOB details
  • OOB channels: dynamic QR code, dynamic NFC NDEF message, audio cable
  • The association becomes persistent until reset by the user. Rekeying happens without user interaction
  • Potential providers of the cloud-based service: device vendor, ISP, content provider, third party
  • Mainly for device-cloud association. OK for device-device pairing, but not necessarily optimal
  • Roaming (e.g. in eduroam) possible after the first association at the home network

  19. EAP-NOOB lessons
  • Security bootstrapping = device registration, taking ownership
  • Device names and identifiers are often not available and cannot be trusted. Physical access identifies the device
  • Vendor certificates can prove the device model and capabilities
  • Avoid a rerun of the user-assisted step at all costs
    • After a few times, the average user just won't bother
    • Sending an engineer on-site is expensive and does not scale
  • The protocol must recover from accidental and malicious failures
    • Timeout, retry and back-off intervals are difficult to decide when a human user is part of the protocol
  • Algorithm agility is harder with no permanently secure master keys
  • EAP is useful also in home networks

  20. Next challenges
  So, a third-party AAA server authorizes off-the-shelf devices to use my access network!
  • Monitoring device behavior in the access network
  • Situational awareness for the access network owner
  • Isolation of devices from the access network (e.g. guest VLAN) and from each other
  • Authorized access to services and other devices in the access network
  • Limiting the power of the cloud-based third-party AAA server
  • Multiple co-existing third-party AAA servers
